[ https://issues.apache.org/jira/browse/HTTPCLIENT-1855?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16188100#comment-16188100 ]
Alessandro Gherardi commented on HTTPCLIENT-1855:
-------------------------------------------------
I believe fixing this issue may be as simple as making the following change in org\apache\http\client\protocol\RequestAuthCache.java:
{code:java}
138c135
< if ("BASIC".equalsIgnoreCase(authScheme.getSchemeName())) {
---
> if ("BASIC".equalsIgnoreCase(authScheme.getSchemeName()) || "DIGEST".equalsIgnoreCase(authScheme.getSchemeName()))
{
{code}
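Review bot: the replacement line in the hunk splits the opening brace onto its own line, departing from the same-line brace style of the line it replaces; keep `{` on the `if` line. The condition also calls `authScheme.getSchemeName()` twice; hoist it into a local and compare against the `AuthSchemes.BASIC` / `AuthSchemes.DIGEST` constants instead of string literals. Because only the condition is shown, the hunk alone does not let a reviewer confirm what the widened branch does for a DIGEST scheme; include the branch body as context in the patch.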
> Digest auth: Nonce counter not incremented after reuse
> ------------------------------------------------------
>
> Key: HTTPCLIENT-1855
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1855
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Affects Versions: 4.5.2
> Reporter: Alessandro Gherardi
> Assignee: Oleg Kalnichevski
> Fix For: 5.0 Alpha3
>
> Attachments: HttpClientDigest.java, wireshark.txt
>
>
> I have a client app using httpclient 4.5.2 with BasicCredentialsProvider and BasicAuthCache,
> and a web server that requires HTTP digest authentication.
> The client sends 3 requests to the web server.
> When the app sends the first request, the server returns an HTTP 401 with a digest challenge.
> httpclient automatically retries the request with the Authorization header. The header contains
> the nonce returned by the server and a nonce counter (nc) of 1. The retry succeeds and httpclient
> caches the DigestScheme.
> For the second request, httpclient uses the cached DigestScheme to calculate the Authorization
> header pre-emptively. The header contains the same nonce and specifies a nonce counter of
> 2. The request succeeds without requiring a retry.
> For the third request, httpclient uses the cached DigestScheme to calculate the Authorization
> header pre-emptively. Even though the header contains the same nonce, the nonce counter is
> set to 2 again. This causes the server to return a 401. httpclient should have incremented
> the nonce counter to 3.
> I believe that the root cause of this problem is that, although DigestScheme increases
> the nonceCount field every time the authenticate() method is called, HttpAuthenticator does
> not re-cache DigestScheme after reusing it. The re-cache is needed because BasicAuthCache
> stores DigestScheme in serialized format.
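The three-request sequence described in the report, as an added example that is not HttpClient code and not part of the original issue: a Python model of the RFC 2617 digest response computation (qop=auth, MD5), a client-side scheme object that increments nc on every authenticate() call, a cache that hands back a serialized snapshot of the scheme (the behaviour the report attributes to BasicAuthCache), and a server-side check that rejects a nonce counter that does not advance for the same nonce. The class names, realm, user, password and client nonce are assumptions constructed for this example; the server nonce and the vector in the usage note are the RFC 2617 section 3.5 sample values.

```python
"""Digest-auth nonce counter (nc) walkthrough (added example, not HttpClient code)."""
import copy
import hashlib

REALM = "example"            # constructed
USER = "alice"               # constructed
PASSWORD = "s3cret"          # constructed
METHOD = "GET"
URI = "/resource"            # constructed
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # server nonce from the RFC 2617 example
CNONCE = "0a4f113b"                            # client nonce from the RFC 2617 example


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth:
    MD5(HA1:nonce:nc:cnonce:qop:HA2), HA1 = MD5(user:realm:password), HA2 = MD5(method:uri).
    nc is the 8-digit lower-case hex nonce counter."""
    ha1 = _md5_hex(f"{user}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestSchemeModel:
    """Stands in for a cached DigestScheme (hypothetical model): keeps the server
    nonce and a nonce counter that is incremented on each authenticate() call."""
    def __init__(self, nonce):
        self.nonce = nonce
        self.nonce_count = 0

    def authenticate(self, method, uri):
        self.nonce_count += 1
        nc = f"{self.nonce_count:08x}"
        response = digest_response(USER, REALM, PASSWORD, method, uri, self.nonce, nc, CNONCE)
        return {"username": USER, "realm": REALM, "nonce": self.nonce, "uri": uri,
                "qop": "auth", "nc": nc, "cnonce": CNONCE, "response": response}


class DigestServerModel:
    """Verifies the Authorization fields and requires nc to strictly increase per
    nonce; a repeated or lower nc is treated as a replay and gets a 401."""
    def __init__(self):
        self.highest_nc = {}  # nonce -> last accepted nc value

    def check(self, auth):
        expected = digest_response(auth["username"], REALM, PASSWORD, METHOD, auth["uri"],
                                   auth["nonce"], auth["nc"], auth["cnonce"], auth["qop"])
        if expected != auth["response"]:
            return 401
        nc = int(auth["nc"], 16)
        if nc <= self.highest_nc.get(auth["nonce"], 0):
            return 401  # nonce counter did not advance: reject
        self.highest_nc[auth["nonce"]] = nc
        return 200


class SerializingAuthCache:
    """Models an auth cache that stores a serialized snapshot: get() returns a
    copy frozen at put() time, so later mutations of the live object are lost."""
    def __init__(self):
        self._snapshot = None

    def put(self, scheme):
        self._snapshot = copy.deepcopy(scheme)

    def get(self):
        return copy.deepcopy(self._snapshot)


def run_sequence(recache_after_reuse: bool):
    """Replays the report's three requests and returns the server status codes.
    With recache_after_reuse=False the scheme is never re-cached after pre-emptive
    use, so the third request repeats nc=2 and is rejected."""
    server = DigestServerModel()
    cache = SerializingAuthCache()
    statuses = []
    # Request 1: challenge, then retry with nc=1; the scheme is cached after success.
    scheme = DigestSchemeModel(NONCE)
    statuses.append(server.check(scheme.authenticate(METHOD, URI)))
    cache.put(scheme)
    # Requests 2 and 3: pre-emptive auth built from the cached scheme.
    for _ in range(2):
        scheme = cache.get()
        statuses.append(server.check(scheme.authenticate(METHOD, URI)))
        if recache_after_reuse:
            cache.put(scheme)  # persist the incremented nonce counter
    return statuses


if __name__ == "__main__":
    print("no re-cache:", run_sequence(False))   # [200, 200, 401]
    print("re-cache:   ", run_sequence(True))    # [200, 200, 200]
```

run_sequence(False) reproduces the 200, 200, 401 pattern from the report; run_sequence(True) re-caches the scheme after each pre-emptive use, so nc advances to 3 and the third request is accepted. digest_response can be checked against the RFC 2617 vector (user Mufasa, realm testrealm@host.com, password "Circle Of Life", URI /dir/index.html, nc 00000001), which yields 6629fae49393a05397450978507c4ef1.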
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)